THE AMENDMENTS

In The Claims 

1. (currently amended) A method of controlling access to a network, comprising:
requesting an identity from a client attempting to connect to the network; 
receiving the identity; 

associating location information with the identity; 
authenticating the identity; 

comparing the location information against a policy designating locations, if any, at 
which the client is permitted to connect to the network; and 

deciding whether to grant or deny the client access to the network based on the 
authenticity of the identity and the comparison of the location information; 

wherein if the client is granted access to the network, and subsequently moves to a new
location, the network follows a procedure to either re-authenticate or not re-authenticate the
client; and

wherein if, pursuant to the procedure, the client continues to have access to the network
after moving to the new location, the client's access at the new location will be based on policies
of the new location.

2. (original) The method of claim 1, further comprising: 

passing the identity and the location information to an authentication server, wherein the 
authentication server performs the steps of authenticating, comparing and deciding. 

3. (currently amended) The method of claim 2, further comprising the steps of wherein

operating the authentication server which is a RADIUS server that operates with Steel-
Belted Radius, Enterprise Edition;

wherein RADIUS attributes of an access request packet are defined as type length
values (TLVs) that contain additional information,

wherein vendor specific attributes (VSAs) indicate a vendor ID, and a string field
encoding a sequence of one or more vendor TLVs

4. (original) The method of claim 1, wherein the identity includes information selected
from the group consisting of a user name, a user password, a certificate, a media access control 
(MAC) address, a shared encryption key, a smart card identifier, and any combination of the 
foregoing information. 

5. (original) The method of claim 1, wherein the client is a user station capable of
connecting to the network through an access point. 

6. (original) The method of claim 1, wherein the client is a wired device capable of
connecting to the network through an Ethernet switch port. 

7. (currently amended) The method of claim 1, further comprising: 

using as an authentication [[a]] mechanism selected from the group consisting of TLS,
TTLS, an MD5 protocol, EAP TTLS, EAP TLS, and any combination of the foregoing to
authenticate the identity. 

8. (original) The method of claim 1, wherein the location information indicates the location 
of a network switch to which the client is attempting to connect. 

9. (original) The method of claim 1, wherein the location information indicates the location 
of an edge device for connecting the client to the network. 

10. (currently amended) A network system, comprising: 

an authenticator for requesting an identity from a client and for associating location 
information with the identity; and

an authentication server, receiving the identity and associated location information from 
the authenticator, for deciding whether to grant or deny the client access to the network based on 
the identity and the location information; 

wherein if the client is granted access to the network system, and subsequently moves to a
new location, the network system follows a procedure to either re-authenticate or not re- 
authenticate the client; and 

wherein if, pursuant to the procedure, the client continues to have access to network 
controlled by the network system after moving to the new location, the client's access at the new 
location will be based on policies of the new location. 

11. (original) The network system of claim 10, wherein the authenticator resides in a
network switch. 

12. (original) The network system of claim 10, wherein the authenticator resides in an edge 
device. 

13. (original) The network system of claim 10, further comprising: 
an edge device for connecting a user station to a network switch. 

14. (original) The network system of claim 13, wherein the edge device is a wireless access 
point. 

15. (original) The network system of claim 4, wherein the user capable of connecting to the 
network through the access point. 

16. (original) The network system of claim 10, wherein the client is a wired device capable 
of connecting to a network switch through an Ethernet port. 

17. (original) The network system of claim 10, wherein the location information indicates 
the location of a network switch to which the client is attempting to connect. 

18. (original) The network system of claim 10, wherein the location information indicates
the location of an edge device for connecting the client to the network. 

19. (original) The network system of claim 18, further comprising an interface for permitting 
an administrator to associate the location information to the edge device.

20. (original) The network system of claim 10, wherein the authentication server is included 
in a network switch. 

21. (original) The network system of claim 10, wherein the authentication server
authenticates the identity. 

22. (original) The network system of claim 10, wherein the authentication server includes a 
policy designating locations, if any, at which the client is permitted to connect to the network. 

23. (currently amended) The network system of claim 10, further comprising: wherein

the authentication server is a RADIUS server that operates with Steel Belted Radius, 
Enterprise Edition; 

wherein RADIUS attributes of an access request packet are defined as type length values 
(TLVs) that contain additional information; and 

wherein vendor specific attributes (VSAs) indicate a vendor ID, and a string field
encoding a sequence of one or more vendor. 

24. (original) The network system of claim 10, wherein the identity includes information 

selected from the group consisting of a user name, a user password, a certificate, a Media access 
control (MAC) address, a shared key, a smart card identifier, and any combination of the 
foregoing information. 

25. (currently amended) The network system of claim 10, further comprising a network
switch that comprises: 

an authentication mechanism selected from the group consisting of TLS, TTLS, 
comprising an MD5 protocol, EAP TTLS, EAP TLS, and any combination of the foregoing for
authenticating the identity. 

26. (original) The network system of claim 10, wherein the authentication server comprises:

an authentication mechanism selected from the group consisting of TLS, TTLS, MD5, 
EAP-TTLS, EAP-TLS, and any combination of the foregoing. 

27. (currently amended) A network system, comprising: 

a plurality of edge devices capable of communicating with a plurality of user stations over 
one or more wireless channels; 

a network switch including a plurality of ports for connecting the edge devices to a 
network; 

an application running on the network switch, for requesting station identities from the 
user stations and for associating location information with each of the station identities; and 

an authentication server for deciding whether to grant or deny each of the user stations 
access to the network based on the corresponding identity and location information; 

wherein if the client is granted access to the network system, and subsequently moves to a 
new location, the network system follows a procedure to either re-authenticate or not re- 
authenticate the client; and 

wherein if, pursuant to the procedure, the client continues to have access to network 
controlled by the network system after moving to the new location, the client's access at the new 
location will be based on policies of the new location.

28. (original) The system of claim 27, wherein at least one of the edge devices is a wireless 
access point. 

29. (original) The system of claim 27, wherein at least one of the edge devices is a wireless 
access point. 

30. (original) The system of claim 27, wherein the location information indicates the location
of the network switch. 

31. (original) The system of claim 27, wherein the location information indicates the location
of one of the edge devices. 

32. (original) The system of claim 27, wherein the network switch includes an interface for 
permitting an administrator to associate the location information to the edge devices. 

33. (original) The system of claim 27, wherein the network switch includes an authenticator 
for authenticating the station identities. 

34. (original) The system of claim 27, wherein the authentication server authenticates the 
station identities. 

35. (original) The system of claim 27, wherein the authentication server includes a policy 
designating locations, if any, at which the user stations are permitted to connect to the network. 

36. (currently amended) The system of claim 27, further comprising: wherein

the authentication server is a RADIUS server that operates with Steel Belted Radius,
Enterprise Edition; 

wherein RADIUS attributes of an access request packet are defined as type length values 
(TLVs) that contain additional information; and

wherein vendor specific attributes (VSAs) indicate a vendor ID, and a string field
encoding a sequence of one or more vendor. 

37. (original) The system of claim 27, wherein the station identities include information
selected from the group consisting of a user name, a user password, a certificate, a media access 
control (MAC) address, a shared key, a smart card identifier, and any combination of the 
foregoing information. 

38. (currently amended) The system of claim 27, further comprising: 

an authentication mechanism selected from the group consisting of TLS, TTLS,
comprising an MD5 protocol, EAP TTLS, EAP TLS, and any combination of the foregoing for
authenticating the identity. 

39. (currently amended) A network system for controlling access to a network, comprising: 
means for requesting an identity from a client attempting to connect to the network; 
means for receiving the identity; 

means for associating location information with the identity; 
means for authenticating the identity; 

means for comparing the location information against a policy designating locations, if 
any, at which the client is permitted to connect to the network; and 

means for deciding whether to grant or deny the user station access to the network based 
on the authenticity of the identity and the comparison of the location information; 

wherein if the client is granted access to the network system, and subsequently moves to a 
new location, the network system follows a procedure to either re-authenticate or not re- 
authenticate the client; and 

wherein if, pursuant to the procedure, the client continues to have access to network 
controlled by the network system after moving to the new location, the client's access at the new 
location will be based on policies of the new location. 

40. (original) The system of claim 39, wherein the identity includes information selected 
from the group consisting of a user name, a user password, a certificate, a media access control 
(MAC) address, a shared key, a smart card identifier, and any combination of the foregoing 
information. 

41. (original) The system of claim 39, wherein the client is a wireless device capable of
connecting to the network through an access point. 

42. (original) The system of claim 39, wherein the client is a wired device capable of
connecting to the network through an Ethernet port. 

43. (currently amended) The system of claim 39, wherein the authenticating means includes: 

an authentication mechanism selected from the group consisting of TLS, TTLS,
comprising an MD5 protocol, EAP TTLS, EAP TLS, and any combination of the foregoing for
authenticating the identity. 

44. (original) The system of claim 39, wherein the location information indicates the location 
of a network switch to which the client is attempting to connect. 

45. (original) The system of claim 39, wherein the location information indicates the location 
of an edge device for connecting the client to a network switch.